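module SystemCheck
  module App
    # Verifies that the git user's `~/.ssh` directory contains nothing beyond
    # the files GitLab itself manages. Any extra file (an SSH client `config`,
    # an `rc` script, private keys, ...) is reported as forbidden, because it
    # can alter how SSH behaves for the git user on this server.
    class GitUserDefaultSSHConfigCheck < SystemCheck::BaseCheck
      # These files are allowed in the .ssh directory. The `config` file is not
      # whitelisted as it may change the SSH client's behaviour dramatically.
      # Entries are matched by basename only.
      WHITELIST = %w[
        authorized_keys
        authorized_keys.lock
        authorized_keys2
        known_hosts
      ].freeze

      set_name 'Git user has default SSH configuration?'
      set_skip_reason 'skipped (GitLab read-only, or git user is not present / configured)'

      # Skipped when the database is read-only (no fix could be applied
      # anyway) or when the git user's home directory cannot be resolved.
      def skip?
        Gitlab::Database.read_only? || !home_dir || !File.directory?(home_dir)
      end

      # Passes when no non-whitelisted entry exists in the .ssh directory
      # (a missing .ssh directory counts as the default configuration).
      def check?
        forbidden_files.empty?
      end

      # Prints shell instructions that move each offending file out of the
      # way into a timestamped backup directory, then asks for a re-run.
      def show_error
        backup_dir = "~/gitlab-check-backup-#{Time.now.to_i}"

        # Filenames come from the filesystem, so escape them before they are
        # pasted into a shell by the administrator.
        instructions = forbidden_files.map do |filename|
          "sudo mv #{Shellwords.escape(filename)} #{backup_dir}"
        end

        try_fixing_it("mkdir #{backup_dir}", *instructions)
        for_more_information('doc/ssh/README.md in section "SSH on the GitLab server"')
        fix_and_rerun
      end

      private

      # The configured git user name; may be nil/empty if not configured.
      def git_user
        Gitlab.config.gitlab.user
      end

      # Home directory of the git user, or nil when it cannot be resolved.
      # An unconfigured user is treated as unresolvable rather than letting
      # `~` silently resolve to the *current* process user's home, which
      # would make the check inspect (and report on) the wrong account.
      def home_dir
        return @home_dir if defined?(@home_dir)

        @home_dir =
          begin
            user = git_user.to_s
            user.empty? ? nil : File.expand_path("~#{user}")
          rescue ArgumentError
            # Raised by expand_path when the user account does not exist.
            nil
          end
      end

      # `<home>/.ssh`, or nil when the home directory is unknown.
      def ssh_dir
        return nil unless home_dir

        File.join(home_dir, '.ssh')
      end

      # Absolute paths of every entry in .ssh whose basename is not
      # whitelisted. Dotfiles are not listed (same semantics as a plain `*`
      # glob). Returns [] when the ssh directory is unknown or absent.
      def forbidden_files
        @forbidden_files ||=
          begin
            if ssh_dir
              pattern = File.join(glob_escape(ssh_dir), '*')

              Dir.glob(pattern).reject do |path|
                WHITELIST.include?(File.basename(path))
              end
            else
              []
            end
          end
      end

      # Escapes glob metacharacters (`* ? [ ] { } \`) in a literal path so
      # Dir.glob treats it verbatim. Without this, a home directory whose
      # path contains such a character yields an empty listing and the check
      # passes vacuously.
      def glob_escape(path)
        path.gsub(/[\\*?\[\]{}]/) { |char| "\\#{char}" }
      end
    end
  end
end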